General

  • Target

    cc1695a2e481381f8e5d8a5bedc46e3e9c02f5644251a887898036408dc9bcbe.bat

  • Size

    241KB

  • Sample

    241113-pyebgasbrd

  • MD5

    d3e16c25b182396111f5878854aff8af

  • SHA1

    203d0e3ea2b0872accc64829a973647d3fc49a62

  • SHA256

    cc1695a2e481381f8e5d8a5bedc46e3e9c02f5644251a887898036408dc9bcbe

  • SHA512

    7ef959f1514d562ea1e832eb7ad4c60174400e28917656a855570b479f491092b7b84ba05d50c2ecc70afce1642c2fcf1e00727ebc35c43a58e129f6f7ed1353

  • SSDEEP

    6144:1ImsCVUZV2Nr6LgY+00yZQoi0gD3hb2N1:VVUT2pSxzgD3h8

Malware Config

Extracted

Family

xworm

Version

5.0

C2

42.96.11.54:25209

Mutex

SFMa6Xk244Z6kSQr

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot5867862670:AAHp7ECfsTluhMCJC4Vl2YYZCQDdUtQ-o18

aes.plain

Targets

    • Target

      cc1695a2e481381f8e5d8a5bedc46e3e9c02f5644251a887898036408dc9bcbe.bat

    • Size

      241KB

    • MD5

      d3e16c25b182396111f5878854aff8af

    • SHA1

      203d0e3ea2b0872accc64829a973647d3fc49a62

    • SHA256

      cc1695a2e481381f8e5d8a5bedc46e3e9c02f5644251a887898036408dc9bcbe

    • SHA512

      7ef959f1514d562ea1e832eb7ad4c60174400e28917656a855570b479f491092b7b84ba05d50c2ecc70afce1642c2fcf1e00727ebc35c43a58e129f6f7ed1353

    • SSDEEP

      6144:1ImsCVUZV2Nr6LgY+00yZQoi0gD3hb2N1:VVUT2pSxzgD3h8

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks